As originally reported by Artem Nosulchik, the NSA recently released its security configuration guide for Red Hat Enterprise Linux 5. This is an excellent (and surprisingly practical) jumping-off point for securely configuring a server.
It is written for the mid-level admin, so it expects you to know your way around Linux but doesn't expect you to be an SELinux guru. It could prove especially helpful where you need a referenceable set of best practices that you followed for a server that will be audited (e.g. a bank web server or a server that collects HIPAA-protected data) without spending a fortune on consulting. It certainly leaves a few things out (like reboots after kernel updates), and it also recommends a few things that make life difficult or impossible for the mission, but on the whole it's the best concise set of best practices I've found. Here's a quick overview of some of the things it covers (by no means all-inclusive):
- Bootloader/BIOS configuration: password-protect the bootloader to prevent booting into single-user mode, disable booting from external media, and password-protect the BIOS setup
- Set up automatic yum updates. As seen in previous posts, I tend to disagree with this, but it's understandable in a high-security environment
- Install and configure AIDE, a Tripwire-like host IDS. Write a baseline copy of the database to CD and store it securely. I tend to think the latter part is of limited usefulness because so many packages get updated over time
- Configure fstab: add nodev to all partitions except root; add nodev, nosuid and noexec to removable-media partitions
- Restrict console device permissions to the root user, so a non-root user at the console doesn't get access to the floppy drive, etc.
- Restrict or remove USB support. Be careful not to kill the USB mouse/keyboard (I wonder whether they made this mistake in testing.)
- Disable automounting
- Verify the permissions of /etc/passwd, /etc/shadow and /etc/group
- Find the list of setuid programs and tailor it to the application (they include a list of the ones that are on by default, and say when they recommend turning each off)
- Enable Exec-Shield (kernel protections against buffer-overflow exploits)
- Restrict access to su to administrative users only. Restrict root logins to the console.
- Remove telnet, rlogin, rsh, NIS and rcp. Strongly consider removing xinetd
They also have a bunch of service-specific best practices that you should definitely have a look at. Everyone who reads it is bound to learn some things and be reminded of some things they've forgotten.
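As an added example (my own script, not part of the NSA guide), here is a small POSIX sh audit of the fstab advice above: every non-root, non-swap filesystem should carry nodev, and removable media should also carry nosuid and noexec. The mount-point patterns used to recognise removable media and the sample fstab are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an fstab against the mount-option advice above.
# Usage: fstab_findings /etc/fstab   -> prints one finding per line

# has_opt OPTLIST OPT : exit 0 if OPT appears in the comma-separated OPTLIST
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# is_removable MOUNTPOINT : heuristic for removable media (assumed paths)
is_removable() {
    case "$1" in /media/*|/mnt/floppy*|/mnt/cdrom*) return 0 ;; *) return 1 ;; esac
}

fstab_findings() {
    # drop comments and blank lines, then look at device, mountpoint, type, options
    sed 's/#.*//' "$1" | awk 'NF >= 4 { print $1, $2, $3, $4 }' |
    while read -r dev mnt fstype opts; do
        [ "$mnt" = "/" ] && continue          # the guide exempts the root filesystem
        [ "$fstype" = "swap" ] && continue    # swap carries no relevant mount options
        has_opt "$opts" nodev || echo "$mnt: missing nodev"
        if is_removable "$mnt"; then
            has_opt "$opts" nosuid || echo "$mnt: removable media missing nosuid"
            has_opt "$opts" noexec || echo "$mnt: removable media missing noexec"
        fi
    done
}

# count_findings FSTAB : number of findings, handy for scripted compliance checks
count_findings() {
    fstab_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample fstab for the demonstration (not taken from a real system)
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
LABEL=/       /              ext3  defaults             1 1
LABEL=/boot   /boot          ext3  defaults             1 2  # should have nodev
LABEL=/home   /home          ext3  defaults,nodev       1 2
LABEL=/tmp    /tmp           ext3  nodev,nosuid,noexec  1 2
/dev/sda3     swap           swap  defaults             0 0
/dev/fd0      /media/floppy  auto  noauto,owner,nodev   0 0  # lacks nosuid,noexec
EOF

fstab_findings "$SAMPLE_FSTAB"
```

On the sample above the script reports /boot for the missing nodev and /media/floppy for the missing nosuid and noexec.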
February 19th, 2008 at 4:08 pm
Do I need this to download?
April 1st, 2008 at 2:33 pm
Also check http://iase.disa.mil/stigs/checklist/index.html
Very helpful security checklists and scripts.